Package: lua-cgi Severity: important Tags: security upstream Control: found -1 5.2~alpha2-1
Hi, The following vulnerability was published for lua-cgi. CVE-2014-2875[0]: | The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses | weak session IDs generated based on OS time, which allows remote | attackers to hijack arbitrary sessions via a brute force attack. NOTE: | CVE-2014-10300 and CVE-2014-10400 were SPLIT from this ID. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2014-2875 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2875 Please adjust the affected versions in the BTS as needed. Cheers! Sylvain Beucler Debian LTS Team